Orchestration Rules Workflow

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere follows a specific order for applying orchestration rules:

  1. Filtering rules: These rules are essential to control the traffic of your events (any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall). USM Anywhere neither processes nor saves events that match a filtering rule.
  2. Suppression rules: USM Anywhere saves the events that match a suppression rule, but does not correlate these suppressed events. By default, USM Anywhere hides these suppressed events. If you want to see these events, click Suppressed in the Search & Filters area. The table then displays suppressed events along with all other events. See "To only display the suppressed events" if you want to display just the suppressed events.
  3. Notification, alarm, and response action rules: USM Anywhere processes and correlates all events that match one of these rules.

All orchestration rules, including event filtering rules, are processed on the USM Anywhere Service (control node). The USM Anywhere Sensor processes only event filtering rules. Event filtering rules are reapplied on the control node because event enrichment there can modify or add event details that were not present on the sensor during normalization, so an event that passed the sensor's filters may still match a filtering rule once enriched.
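The following Python model illustrates the rule order and the two-stage filtering described above. It is an added example, not LevelBlue or USM Anywhere code: rule matching is reduced to exact field comparisons, the rule names and sample events are constructed, and the `enrich` step (deriving a `source_scope` field from the source IP) is a hypothetical stand-in for control-node enrichment. The point it shows is that a filtering rule keyed on an enriched field cannot match on the sensor, only on the control node, and that filtering always takes precedence over suppression, which in turn takes precedence over notification, alarm and response rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Event = Dict[str, str]


@dataclass
class Rule:
    kind: str                 # "filter", "suppress", "notify", "alarm" or "response"
    name: str
    conditions: Dict[str, str]

    def matches(self, event: Event) -> bool:
        # Every condition must equal the event field; a missing field never matches.
        return all(event.get(k) == v for k, v in self.conditions.items())


# Constructed rule set with hypothetical names (not real USM Anywhere rules).
RULES: List[Rule] = [
    Rule("filter", "drop-heartbeats", {"event_name": "heartbeat"}),
    # Depends on source_scope, which only exists after control-node enrichment.
    Rule("filter", "drop-internal-scanner", {"event_name": "port scan", "source_scope": "internal"}),
    Rule("suppress", "hide-monitor-account-logins", {"user": "svc_monitor"}),
    Rule("alarm", "alarm-external-failed-login", {"event_name": "failed login", "source_scope": "external"}),
    Rule("notify", "notify-soc-external-failed-login", {"event_name": "failed login", "source_scope": "external"}),
]

# Constructed sample events as the sensor would hold them after normalization.
SENSOR_EVENTS: List[Event] = [
    {"event_name": "heartbeat", "source_ip": "10.0.0.5"},
    {"event_name": "port scan", "source_ip": "10.0.0.9"},
    {"event_name": "failed login", "source_ip": "10.0.0.20", "user": "svc_monitor"},
    {"event_name": "failed login", "source_ip": "203.0.113.7", "user": "admin"},
]


def sensor_stage(events: List[Event], rules: List[Rule]) -> List[Event]:
    """The sensor evaluates only filtering rules; matching events are dropped before forwarding."""
    filters = [r for r in rules if r.kind == "filter"]
    return [e for e in events if not any(r.matches(e) for r in filters)]


def enrich(event: Event) -> Event:
    """Hypothetical control-node enrichment: derives source_scope, a field the sensor never had."""
    enriched = dict(event)
    enriched["source_scope"] = "internal" if event.get("source_ip", "").startswith("10.") else "external"
    return enriched


def control_node_stage(events: List[Event], rules: List[Rule]) -> Dict[str, list]:
    """Apply the full order: filter -> suppress -> notification/alarm/response."""
    outcome: Dict[str, list] = {"filtered": [], "suppressed": [], "processed": []}
    for raw in events:
        event = enrich(raw)
        if any(r.matches(event) for r in rules if r.kind == "filter"):
            outcome["filtered"].append(event)      # not stored, not correlated
            continue
        if any(r.matches(event) for r in rules if r.kind == "suppress"):
            outcome["suppressed"].append(event)    # stored, hidden by default, not correlated
            continue
        matched = [r.name for r in rules
                   if r.kind in ("notify", "alarm", "response") and r.matches(event)]
        outcome["processed"].append((event, matched))  # correlated, rules fire
    return outcome


def run_pipeline(events: List[Event] = SENSOR_EVENTS,
                 rules: List[Rule] = RULES) -> Tuple[List[Event], Dict[str, list]]:
    forwarded = sensor_stage(events, rules)
    return forwarded, control_node_stage(forwarded, rules)


if __name__ == "__main__":
    forwarded, outcome = run_pipeline()
    print(f"sensor forwarded {len(forwarded)} of {len(SENSOR_EVENTS)} events")
    for bucket in ("filtered", "suppressed"):
        for e in outcome[bucket]:
            print(f"{bucket:10} {e['event_name']} from {e['source_ip']}")
    for e, matched in outcome["processed"]:
        print(f"processed  {e['event_name']} from {e['source_ip']} -> rules {matched}")
```

In this run the heartbeat is dropped on the sensor, the internal port scan passes the sensor (no `source_scope` yet) and is then filtered on the control node after enrichment, the monitoring account's failed login is stored but suppressed, and only the external failed login reaches correlation and triggers the alarm and notification rules.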

This diagram summarizes the workflow of orchestration rules:

Orchestration Rules Workflow